The vulnerability centres on Slack’s incoming webhooks, which let users post messages from various applications into Slack. Anyone who knows a webhook’s unique URL can supply a message body and a destination channel and have the message delivered to that webhook, in any workspace, regardless of whether they are a member of it.

The Slack vulnerability was uncovered by Alien Labs cloud security researcher Ashley Graves. Webhooks are generally considered a low-risk integration: the user must select a target channel, which reduces the scope of abuse; the webhook URL is secret; and webhooks only accept data, so cannot, on their own, expose data. Graves said this is not entirely accurate.

In a disclosure blog, Graves said a channel override could enable a malicious user to override the previously specified webhook target channel by adding the “channel” key to their JSON payload.

“If you gain access to a webhook for one channel, you can use it in others,” she wrote. “Consider sending to #general, #engineering and other default or common channels to target a wider audience.” Graves added that in some cases, this could override channel posting permissions, such as admin-only posting.

“Slack documentation suggests that allowed target channels are based on the original creator of the webhook,” she said. “So if you can find a webhook created by an admin – congrats, you can post to admin channels.”

Graves said a quick scan of GitHub had thrown up more than 130,000 public code results that contained Slack webhook URLs, most of them containing the full unique value.
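Since Slack’s advice is to invalidate any webhook URL that has been published and generate a new one, a defender’s first task is finding them in their own repositories. The scanner below is an added example, not code from the article or from Slack; it assumes the three-segment URL shape (team id, bot id, secret) of a hooks.slack.com incoming webhook and reports hits with the secret masked so the findings themselves do not leak it.

```python
import re
from typing import Iterator, NamedTuple

# Approximate shape of a Slack incoming-webhook URL (assumption: team id starting
# with T, bot id starting with B, then an opaque secret segment).
WEBHOOK_RE = re.compile(
    r"https://hooks\.slack\.com/services/(T[A-Z0-9]{8,})/(B[A-Z0-9]{8,})/([A-Za-z0-9]{20,})"
)

class Finding(NamedTuple):
    path: str
    line_no: int
    team_id: str
    redacted_url: str

def redact(url: str) -> str:
    """Keep the team/bot ids (useful for triage) but mask the secret segment."""
    m = WEBHOOK_RE.fullmatch(url)
    if m is None:
        return url  # not a webhook URL we recognise; return unchanged
    team, bot, secret = m.groups()
    return f"https://hooks.slack.com/services/{team}/{bot}/{secret[:4]}{'*' * (len(secret) - 4)}"

def scan_text(path: str, text: str) -> Iterator[Finding]:
    """Yield one Finding per webhook URL in `text`; the full secret is never emitted."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in WEBHOOK_RE.finditer(line):
            yield Finding(path, line_no, m.group(1), redact(m.group(0)))

def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} map (stand-in for walking a repository)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample files: two embed a fake webhook URL, one is clean.
SAMPLE_FILES = {
    "deploy/notify.sh": 'curl -X POST -d \'{"text":"deployed"}\' '
                        "https://hooks.slack.com/services/T0000EXAMPLE/B0000EXAMPLE/abcdEFGHijklMNOPqrstUVWX\n",
    "README.md": "Set SLACK_WEBHOOK to your hook, e.g. "
                 "https://hooks.slack.com/services/TXXXXXXXX/BXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXX\n",
    "src/app.py": "# no secrets here\nprint('hello')\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} team={f.team_id} {f.redacted_url}  -> rotate this webhook")
```

Running it against a real checkout means feeding `scan_text` each file’s contents; every hit is a webhook to revoke and re-issue, not just to delete from the source.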

This puts organisations at risk of targeted phishing attacks. In such a scenario, an attacker would take these leaked URLs, create a malicious Slack app and allow its public installation, bombard the leaked webhooks with malicious messages, then track who installed the malicious application and use it to exfiltrate their data.

Security teams can mitigate this possibility today by activating options within Slack that let them manage users’ Slack applications by whitelisting them and requiring any new ones to go through Slack’s own app security review process before approval.

The use of additional security analytics capabilities will also add an extra defensive layer, said Graves, allowing security teams to spot events such as multiple people installing the same app in a short period of time, installation of apps using high-risk scopes, and uncommon calls that could be used for data exfiltration.
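The two detections Graves names, a burst of installs of one app and installs requesting high-risk scopes, can be expressed directly over app-install events. This is an added example and not code from the article, Alien Labs or Slack; the event records are constructed, their field names are an assumption rather than Slack’s audit-log schema, and the choice of which OAuth scopes count as high-risk is likewise an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumption: each record carries a timestamp, the
# installing user, the app name and the scopes granted at install time).
EVENTS = [
    {"ts": "2020-02-14T10:00:00", "actor": "alice", "app": "Payroll Helper", "scopes": ["chat:write"]},
    {"ts": "2020-02-14T10:02:00", "actor": "bob",   "app": "Payroll Helper", "scopes": ["chat:write"]},
    {"ts": "2020-02-14T10:03:30", "actor": "carol", "app": "Payroll Helper", "scopes": ["files:read", "channels:history"]},
    {"ts": "2020-02-14T10:04:10", "actor": "dave",  "app": "Payroll Helper", "scopes": ["chat:write"]},
    {"ts": "2020-02-14T15:00:00", "actor": "erin",  "app": "Standup Bot",    "scopes": ["chat:write"]},
    {"ts": "2020-02-15T09:00:00", "actor": "frank", "app": "Standup Bot",    "scopes": ["users:read"]},
]

# Assumption: scopes that let an app read message or file content are treated as high-risk.
HIGH_RISK_SCOPES = {"files:read", "channels:history", "groups:history", "im:history"}

def burst_installs(events, window=timedelta(minutes=10), threshold=3):
    """Return {app: peak distinct installers} for apps installed by at least
    `threshold` different users inside any `window`-long sliding interval."""
    by_app = defaultdict(list)
    for e in events:
        by_app[e["app"]].append((datetime.fromisoformat(e["ts"]), e["actor"]))
    alerts = {}
    for app, installs in by_app.items():
        installs.sort()
        lo = 0
        for hi in range(len(installs)):
            # Advance the window start until it spans at most `window`.
            while installs[hi][0] - installs[lo][0] > window:
                lo += 1
            users = {actor for _, actor in installs[lo:hi + 1]}
            if len(users) >= threshold:
                alerts[app] = max(len(users), alerts.get(app, 0))
    return alerts

def risky_scope_installs(events):
    """Installs that requested any high-risk scope, as (actor, app, matched scopes)."""
    return [(e["actor"], e["app"], sorted(set(e["scopes"]) & HIGH_RISK_SCOPES))
            for e in events if set(e["scopes"]) & HIGH_RISK_SCOPES]

if __name__ == "__main__":
    print("burst installs:", burst_installs(EVENTS))
    print("high-risk scopes:", risky_scope_installs(EVENTS))
```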

A Slack spokesperson responded to the disclosure, saying: “Webhooks are credential tools that provide access to posting functionality within a workspace. Though data cannot be exposed through webhooks on Slack, we do recommend that workspace owners or admins invalidate publicly exposed webhook URLs and generate new ones.

“To help Slack admins with that diligence, we proactively scrape GitHub for publicly exposed webhooks and invalidate them. Webhooks are safe as long as they remain secret since the webhook URL itself is unguessable. We also recommend workspace owners and admins use these best practices for storing credentials safely and that they review this guide to sending messages using incoming webhooks.”

Slack reiterated that it provides further features to enable security teams to conduct effective oversight of app installation and use within workspaces, as recommended by Graves.

The full disclosure blog, containing further information on malicious Slack applications, can be found here.
